Chinese regulators are reportedly looking to avoid a fresh confrontation with US companies amidst sensitive trade negotiations
China’s government is delaying the enforcement of a controversial security measure that would restrict foreign companies from transferring certain types of data out of the country due to ongoing trade talks with the US, the Financial Times reported.
Regulators had planned to begin enforcing the new rules by the end of last year, but delayed doing so to avoid a fresh confrontation with US companies amidst sensitive trade talks, the FT said, citing unnamed people familiar with the matter.
Article 37 of China’s Cyber Security Law (CSL) states that operators of critical information infrastructure must store personal data and “important data” in China.
If it’s necessary for the data to be transported elsewhere, companies must carry out a security review or, in particularly sensitive cases, must bring in local regulators to make the assessment.
Industry watchers say the vagueness of the definition of “important data”, makes it impossible for firms to ensure they’re compliant with the new rules.
“The sheer scope of the CSL is mind-boggling. And… it is also extremely vague,” London-based strategic consultancy Control Risks wrote in a report at the time of the law’s implementation.
“This means that it is currently impossible to be ‘compliant’.”
The rules specify “important data” as that which is related to economic development or the public interest.
In its 2019 APAC Data Protection Guide, law firm Hogan Lovells said questions remain around “important data” and the cases in which it is “necessary” to move it out of China.
“Significant uncertainty remains with respect to the scope and impact of Article 37,” the report states.
“The precise nature of substantive review of international transfers has not yet been clarified, and basic considerations such as the test of ‘necessity’ of a transfer and the criteria for assessing the adequacy of security measures have not yet been specified.”
China says the rules are intended to improve security, but lawyers cited by the FT said the measures also have the effect of putting pressure on international businesses to consider using local suppliers for services such as data storage, systems hosting and technology procurement, including encryption.
Financial services firms often move data out of the country to comply with transparency laws in other jurisdictions or to analyse data to find patterns associated with fraud, the FT said.
The new regulations could force firms to relocate analytics processes to China, possibly moving proprietary software and even staff into the country, according to the report.
The laws have caused some international firms to change their business practices in China, with Amazon Web Services, for instance, selling some of its Chinese cloud assets to partner Beijing Sinnet Technology Co.
Apple says its iCloud services in mainland China are now operated by a Chinese internet services company called Guizhou on the Cloud Big Data Industrial Development Co. (GCBD) in order to “comply with Chinese regulations”.